Thursday, November 28, 2019

Upgrade path from basic pfsense routers? (Shadow IT)

Hi there, I work for an internal tools group inside a relatively-huge company. For various reasons, we've been forced to deploy our own infrastructure pods at various sites to speed things up. At the moment, we use a pair of pfsense boxes as the gateway into the pod, allowing us to have a bit of finer-grained access control at that network boundary. (They also allow us to conveniently NAT out certain functions as and when required, and keep other services internal to that pod.) Multiple WAN connections are common, but we don't really do any IPS or IDS, which are corporate IT's problem farther up the chain. (These are primarily management devices, not security barriers!)

Now, pfsense is great and all, but it has a few major drawbacks that I'm sure folks using them may be very familiar with (although it has a killer web UI that's absolutely fantastic):

  1. No automated setup (API or CLI). (Sorry, the PHP shell just doesn't really do it for us.)
  2. Occasional support or purchasing issues due to Netgate's small size.

Required feature summary:

  1. HA IPv4 IPs (something similar to CARP). (IPv6 obviously supports multiple gateways to begin with.)
  2. Basic flow-based firewall, no IDS, IPS, fancy features.
  3. Good API and/or CLI.
  4. Decent web UI.
  5. 10 Gbit/s traffic handling in basic layer 3 NAT forwarding role.
  6. Site-to-site and client VPN capability. (Speed not very critical, sub-gigabit.)
  7. Reliable hardware.
  8. Excellent 24/7 support.

What upgrade paths, vendors, etc... have folks tried from a basic setup like this? I'm aware of and have been investigating several (will post results here too for folks to learn from):

  1. Setting up our own Linux-based routers. (Not really desirable due to complexity and the amount of folks we have available to build and maintain them.)
  2. Fortinet (investigating in our lab).
  3. Sophos (investigating in our lab).
  4. Palo Alto (used by corporate IT, but way beyond what we need and priced accordingly).
  5. Cisco ASA (not heard great things).
  6. Juniper (we're currently an Arista shop, so this is not really being looked at very hard).
